tpm2: Introduce PCRPolicyDataError for PCR policy errors.

This makes it possible to distinguish between errors that can be
rectified by calling SealedKeyData.UpdatePCRProtectionPolicy, and errors
that require a keyslot to be replaced (which should be handled by
reprovisioning).

For v3 keys, PCR policy signature verification can fail as a result of
an incorrect approved digest, invalid signature or invalid PCR policy
reference. The approved digest and signature are updated when the PCR
policy is updated. This PR also ensures that the stored PCR policy
reference is refreshed whenever the PCR policy is updated. As a
consequence, the validity of the PCR policy reference is no longer
verified in keyData_v3.ValidateData.

Note that PCR policy signature verification could also fail because the
public key is invalid. This would still result in a PCRPolicyDataError
error being returned, but a subsequent attempt to update the PCR policy
would result in an InvalidKeyDataError being returned. In this case, the
keyslot would need to be replaced (likely by reprovisioning). A future
PR may improve this so that the stored public key is refreshed from the
supplied primary key.

Author: chrisccoulson

internal/compattest/v0_test.go

@@ -89,7 +89,7 @@ func (s *compatTestV0Suite) TestRevokeOldPCRProtectionPolicies(c *C) {
 	c.Check(k.UpdatePCRProtectionPolicyV0(s.TPM(), s.absPath("pud"), profile), IsNil)
 	c.Check(k.RevokeOldPCRProtectionPoliciesV0(s.TPM(), s.absPath("pud")), IsNil)
 	s.replayPCRSequenceFromFile(c, s.absPath("pcrSequence.1"))
-	s.testUnsealErrorMatchesCommon(c, "invalid key data: cannot complete authorization policy assertions: the PCR policy has been revoked")
+	s.testUnsealErrorMatchesCommon(c, "invalid PCR policy data: cannot complete authorization policy assertions: the PCR policy has been revoked")
 }
 
 func (s *compatTestV0Suite) TestUpdateKeyPCRProtectionPolicyAndUnseal(c *C) {
@@ -130,5 +130,5 @@ func (s *compatTestV0Suite) TestUnsealAfterLock(c *C) {
 	// but keep this here just to make sure.
 	s.replayPCRSequenceFromFile(c, s.absPath("pcrSequence.1"))
 	c.Assert(secboot_tpm2.BlockPCRProtectionPolicies(s.TPM(), []int{12}), IsNil)
-	s.testUnsealErrorMatchesCommon(c, "invalid key data: cannot complete authorization policy assertions: cannot execute PCR assertions: cannot execute PolicyOR assertions: current session digest not found in policy data")
+	s.testUnsealErrorMatchesCommon(c, "invalid PCR policy data: cannot complete authorization policy assertions: cannot execute PCR assertions: cannot execute PolicyOR assertions: current session digest not found in policy data")
 }

internal/compattest/v1_test.go

@@ -78,7 +78,7 @@ func (s *compatTestV1Suite) TestRevokeOldPCRProtectionPolicies(c *C) {
 	c.Check(k.UpdatePCRProtectionPolicy(s.TPM(), s.readFile(c, "authKey"), profile), IsNil)
 	c.Check(k.RevokeOldPCRProtectionPolicies(s.TPM(), s.readFile(c, "authKey")), IsNil)
 	s.replayPCRSequenceFromFile(c, s.absPath("pcrSequence.1"))
-	s.testUnsealErrorMatchesCommon(c, "invalid key data: cannot complete authorization policy assertions: the PCR policy has been revoked")
+	s.testUnsealErrorMatchesCommon(c, "invalid PCR policy data: cannot complete authorization policy assertions: the PCR policy has been revoked")
 }
 
 func (s *compatTestV1Suite) TestUpdateKeyPCRProtectionPolicyAndUnseal(c *C) {
@@ -116,5 +116,5 @@ func (s *compatTestV1Suite) TestUpdateKeyPCRProtectionPolicyAfterLock(c *C) {
 func (s *compatTestV1Suite) TestUnsealAfterLock(c *C) {
 	s.replayPCRSequenceFromFile(c, s.absPath("pcrSequence.1"))
 	c.Assert(secboot_tpm2.BlockPCRProtectionPolicies(s.TPM(), []int{12}), IsNil)
-	s.testUnsealErrorMatchesCommon(c, "invalid key data: cannot complete authorization policy assertions: cannot execute PCR assertions: cannot execute PolicyOR assertions: current session digest not found in policy data")
+	s.testUnsealErrorMatchesCommon(c, "invalid PCR policy data: cannot complete authorization policy assertions: cannot execute PCR assertions: cannot execute PolicyOR assertions: current session digest not found in policy data")
 }

tpm2/errors.go

@@ -77,9 +77,10 @@ func (e AuthFailError) Error() string {
 	return fmt.Sprintf("cannot access resource at handle %v because an authorization check failed", e.Handle)
 }
 
-// InvalidKeyDataError indicates that the provided key data file is invalid. This error may also be returned in some
-// scenarious where the TPM is incorrectly provisioned, but it isn't possible to determine whether the error is with
-// the provisioning status or because the key data file is invalid.
+// InvalidKeyDataError indicates that the [SealedKeyData] or [SealedKeyObject] is invalid. This error may also
+// be returned in some scenarious where the TPM is incorrectly provisioned, but it isn't possible to determine
+// whether the error is with the provisioning status or because the key data is invalid. This error generally
+// means that the key cannot be recovered.
 type InvalidKeyDataError struct {
 	msg string
 }
@@ -92,3 +93,25 @@ func isInvalidKeyDataError(err error) bool {
 	var e InvalidKeyDataError
 	return xerrors.As(err, &e)
 }
+
+// PCRPolicyDataError may be returned from one of the [secboot.PlatformKeyDataHandler] methods or
+// [SealedKeyObject.UnsealFromTPM] if the PCR policy is invalid, either because the current PCR values
+// are not part of the currently approved policy, or the approved policy digest or signature is
+// invalid. This can generally be repaired by calling [SealedKeyData.UpdatePCRProtectionPolicy] or
+// [SealedKeyObject.UpdatePCRProtectionPolicy].
+//
+// Note that in some cases, this error may occur because the public key used to verify the PCR
+// policy is invalid. If this is the case, an attempt to update the PCR policy will fail with an
+// [InvalidKeyDataError]. A future update may improve this so that updating the PCR policy also refreshes
+// the public key.
+type PCRPolicyDataError struct {
+	err error
+}
+
+func (e *PCRPolicyDataError) Error() string {
+	return fmt.Sprintf("invalid PCR policy data: %v", e.err)
+}
+
+func (e *PCRPolicyDataError) Unwrap() error {
+	return e.err
+}

tpm2/export_test.go

@@ -42,6 +42,7 @@ var (
 	ComputeV3PcrPolicyRef                   = computeV3PcrPolicyRef
 	DeriveV3PolicyAuthKey                   = deriveV3PolicyAuthKey
 	ErrSessionDigestNotFound                = errSessionDigestNotFound
+	IsPCRPolicyDataError                    = isPCRPolicyDataError
 	IsPolicyDataError                       = isPolicyDataError
 	MakeSealedKeyData                       = makeSealedKeyData
 	MakeKeyDataNoAuth                       = makeKeyDataNoAuth
@@ -127,9 +128,10 @@ type PcrPolicyData_v3 = pcrPolicyData_v3
 
 type PcrPolicyParams = pcrPolicyParams
 
-func NewPcrPolicyParams(key secboot.PrimaryKey, pcrs tpm2.PCRSelectionList, pcrDigests tpm2.DigestList, policyCounter *tpm2.NVPublic, policySequence uint64) *PcrPolicyParams {
+func NewPcrPolicyParams(key secboot.PrimaryKey, role []byte, pcrs tpm2.PCRSelectionList, pcrDigests tpm2.DigestList, policyCounter *tpm2.NVPublic, policySequence uint64) *PcrPolicyParams {
 	return &PcrPolicyParams{
 		key:            key,
+		role:           role,
 		pcrs:           pcrs,
 		pcrDigests:     pcrDigests,
 		policyCounter:  policyCounter,
@@ -238,7 +240,7 @@ func MockSecbootNewKeyDataWithPassphrase(fn func(*secboot.KeyWithPassphraseParam
 	}
 }
 
-func MockSkdbUpdatePCRProtectionPolicyNoValidate(fn func(*sealedKeyDataBase, *tpm2.TPMContext, secboot.PrimaryKey, *tpm2.NVPublic, *PCRProtectionProfile, PcrPolicyVersionOption) error) (restore func()) {
+func MockSkdbUpdatePCRProtectionPolicyNoValidate(fn func(*sealedKeyDataBase, *tpm2.TPMContext, secboot.PrimaryKey, string, *tpm2.NVPublic, *PCRProtectionProfile, PcrPolicyVersionOption) error) (restore func()) {
 	orig := skdbUpdatePCRProtectionPolicyNoValidate
 	skdbUpdatePCRProtectionPolicyNoValidate = fn
 	return func() {

tpm2/keydata_v3.go

@@ -139,16 +139,15 @@ func (d *keyData_v3) ValidateData(tpm *tpm2.TPMContext, role []byte) (tpm2.Resou
 		return nil, keyDataError{fmt.Errorf("name algorithm for signing key is invalid or not available: %v", authPublicKey.NameAlg)}
 	}
 	pcrPolicyRef := computeV3PcrPolicyRefFromCounterContext(authPublicKey.NameAlg, role, pcrPolicyCounter)
-	if !bytes.Equal(pcrPolicyRef, d.PolicyData.StaticData.PCRPolicyRef) {
-		return nil, keyDataError{errors.New("unexpected PCR policy ref")}
-	}
+	// We don't check p.PolicyData.StaticData.PCRPolicyRef here because it gets updated
+	// in UpdatePCRProtectionPolicy.
 
 	// Make sure that the static authorization policy data is consistent with the sealed key object's policy.
 	if !d.KeyPublic.NameAlg.Available() {
 		return nil, keyDataError{fmt.Errorf("cannot determine if static authorization policy matches sealed key object: algorithm %v unavailable", d.KeyPublic.NameAlg)}
 	}
 	builder := policyutil.NewPolicyBuilder(d.KeyPublic.NameAlg)
-	builder.RootBranch().PolicyAuthorize(d.PolicyData.StaticData.PCRPolicyRef, authPublicKey)
+	builder.RootBranch().PolicyAuthorize(pcrPolicyRef, authPublicKey)
 	if d.PolicyData.StaticData.RequireAuthValue {
 		builder.RootBranch().PolicyAuthValue()
 	}

tpm2/keydata_v3_test.go

@@ -225,6 +225,19 @@ func (s *keyDataV3Suite) TestValidateOK3(c *C) {
 	c.Check(pcrPolicyCounter.Name(), DeepEquals, pcrPolicyCounterName)
 }
 
+func (s *keyDataV3Suite) TestValidateOK4(c *C) {
+	role := "foo"
+	data, pcrPolicyCounterName := s.newMockKeyData(c, s.NextAvailableHandle(c, 0x0180ff00), role, false)
+
+	// An invalid PCR policy ref shouldn't trigger an error because it will be
+	// corrected when updating the PCR policy.
+	data.(*KeyData_v3).PolicyData.StaticData.PCRPolicyRef = []byte("1234")
+
+	pcrPolicyCounter, err := data.ValidateData(s.TPM().TPMContext, []byte(role))
+	c.Check(err, IsNil)
+	c.Check(pcrPolicyCounter.Name(), DeepEquals, pcrPolicyCounterName)
+}
+
 func (s *keyDataV3Suite) TestValidateImportedOK(c *C) {
 	role := "foo"
 	data := s.newMockImportableKeyData(c, role, false)
@@ -351,7 +364,7 @@ func (s *keyDataV3Suite) TestValidateWrongPolicyCounter1(c *C) {
 
 	_, err = data.ValidateData(s.TPM().TPMContext, []byte(role))
 	c.Check(err, testutil.ConvertibleTo, KeyDataError{})
-	c.Check(err, ErrorMatches, "unexpected PCR policy ref")
+	c.Check(err, ErrorMatches, "the sealed key object's authorization policy is inconsistent with the associated metadata or persistent TPM resources")
 }
 
 func (s *keyDataV3Suite) TestValidateWrongPolicyCounter2(c *C) {
@@ -362,7 +375,7 @@ func (s *keyDataV3Suite) TestValidateWrongPolicyCounter2(c *C) {
 
 	_, err := data.ValidateData(s.TPM().TPMContext, []byte(role))
 	c.Check(err, testutil.ConvertibleTo, KeyDataError{})
-	c.Check(err, ErrorMatches, "unexpected PCR policy ref")
+	c.Check(err, ErrorMatches, "the sealed key object's authorization policy is inconsistent with the associated metadata or persistent TPM resources")
 }
 
 func (s *keyDataV3Suite) TestValidateWrongPolicyCounter3(c *C) {
@@ -379,7 +392,7 @@ func (s *keyDataV3Suite) TestValidateWrongPolicyCounter3(c *C) {
 
 	_, err := data.ValidateData(s.TPM().TPMContext, []byte(role))
 	c.Check(err, testutil.ConvertibleTo, KeyDataError{})
-	c.Check(err, ErrorMatches, "unexpected PCR policy ref")
+	c.Check(err, ErrorMatches, "the sealed key object's authorization policy is inconsistent with the associated metadata or persistent TPM resources")
 }
 
 func (s *keyDataV3Suite) TestSerialization(c *C) {
@@ -399,7 +412,7 @@ func (s *keyDataV3Suite) TestValidateInvalidRole(c *C) {
 	data, _ := s.newMockKeyData(c, tpm2.HandleNull, authRole, false)
 
 	_, err := data.ValidateData(s.TPM().TPMContext, []byte(validationRole))
-	c.Check(err, ErrorMatches, "unexpected PCR policy ref")
+	c.Check(err, ErrorMatches, "the sealed key object's authorization policy is inconsistent with the associated metadata or persistent TPM resources")
 }
 
 func (s *keyDataV3Suite) TestValidateWrongAuthValueRequirement(c *C) {

tpm2/platform.go

@@ -81,6 +81,7 @@ func (h *platformKeyDataHandler) recoverKeysCommon(data *secboot.PlatformKeyData
 	symKey, err := k.unsealDataFromTPM(tpm.TPMContext, authKey, tpm.HmacSession())
 	if err != nil {
 		var e InvalidKeyDataError
+		var p *PCRPolicyDataError
 		switch {
 		case xerrors.As(err, &e):
 			return nil, &secboot.PlatformHandlerError{
@@ -98,6 +99,10 @@ func (h *platformKeyDataHandler) recoverKeysCommon(data *secboot.PlatformKeyData
 			return nil, &secboot.PlatformHandlerError{
 				Type: secboot.PlatformHandlerErrorInvalidAuthKey,
 				Err:  err}
+		case errors.As(err, &p):
+			return nil, &secboot.PlatformHandlerError{
+				Type: secboot.PlatformHandlerErrorIncompatibleRole,
+				Err:  err}
 		}
 		return nil, xerrors.Errorf("cannot unseal key: %w", err)
 	}

tpm2/platform_legacy.go

@@ -85,6 +85,7 @@ func (h *legacyPlatformKeyDataHandler) RecoverKeys(data *secboot.PlatformKeyData
 	key, authKey, err := k.UnsealFromTPM(tpm)
 	if err != nil {
 		var e InvalidKeyDataError
+		var p *PCRPolicyDataError
 		switch {
 		case xerrors.As(err, &e):
 			return nil, &secboot.PlatformHandlerError{
@@ -98,6 +99,10 @@ func (h *legacyPlatformKeyDataHandler) RecoverKeys(data *secboot.PlatformKeyData
 			return nil, &secboot.PlatformHandlerError{
 				Type: secboot.PlatformHandlerErrorUnavailable,
 				Err:  err}
+		case errors.As(err, &p):
+			return nil, &secboot.PlatformHandlerError{
+				Type: secboot.PlatformHandlerErrorIncompatibleRole,
+				Err:  err}
 		}
 		return nil, xerrors.Errorf("cannot unseal key: %w", err)
 	}

tpm2/platform_legacy_test.go

@@ -116,8 +116,8 @@ func (s *platformLegacySuite) TestRecoverKeysInvalidPCRPolicy(c *C) {
 	c.Assert(err, IsNil)
 
 	_, _, err = k.RecoverKeys()
-	c.Check(err, ErrorMatches, "invalid key data: cannot complete authorization policy assertions: "+
-		"cannot execute PCR assertions: cannot execute PolicyOR assertions: current session digest not found in policy data")
+	c.Check(err, ErrorMatches, "incompatible key data role params: invalid PCR policy data: cannot complete authorization "+
+		"policy assertions: cannot execute PCR assertions: cannot execute PolicyOR assertions: current session digest not found in policy data")
 }
 
 func (s *platformLegacySuite) TestRecoverKeysTPMLockout(c *C) {

tpm2/platform_test.go

@@ -465,8 +465,8 @@ func (s *platformSuite) TestRecoverKeysUnsealErrorHandlingInvalidPCRProfile(c *C
 		return ""
 	})
 	c.Assert(err, testutil.ConvertibleTo, &secboot.PlatformHandlerError{})
-	c.Check(err.(*secboot.PlatformHandlerError).Type, Equals, secboot.PlatformHandlerErrorInvalidData)
-	c.Check(err, ErrorMatches, "cannot complete authorization policy assertions: "+
+	c.Check(err.(*secboot.PlatformHandlerError).Type, Equals, secboot.PlatformHandlerErrorIncompatibleRole)
+	c.Check(err, ErrorMatches, "invalid PCR policy data: cannot complete authorization policy assertions: "+
 		"cannot execute PCR assertions: cannot execute PolicyOR assertions: current session digest not found in policy data")
 }
 
@@ -498,8 +498,8 @@ func (s *platformSuite) TestRecoverKeysUnsealErrorHandlingSealedKeyAccessLocked(
 		return ""
 	})
 	c.Assert(err, testutil.ConvertibleTo, &secboot.PlatformHandlerError{})
-	c.Check(err.(*secboot.PlatformHandlerError).Type, Equals, secboot.PlatformHandlerErrorInvalidData)
-	c.Check(err, ErrorMatches, "cannot complete authorization policy assertions: "+
+	c.Check(err.(*secboot.PlatformHandlerError).Type, Equals, secboot.PlatformHandlerErrorIncompatibleRole)
+	c.Check(err, ErrorMatches, "invalid PCR policy data: cannot complete authorization policy assertions: "+
 		"cannot execute PCR assertions: cannot execute PolicyOR assertions: current session digest not found in policy data")
 }